blackmoon | 87d4ade9fd758e2116731cc737e16c65f078f1a9d64eb1997a9e3c07f86cf817

Analysis

max time kernel
90s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2022, 20:28

Target

87d4ade9fd758e2116731cc737e16c65f078f1a9d64eb1997a9e3c07f86cf817.dll
Size

3.9MB
MD5

c1a052c50a4512fe254392079dcdfbd9
SHA1

1abdd42b5bf2b54d1b29b1b9b06a2baff1bf52d5
SHA256

87d4ade9fd758e2116731cc737e16c65f078f1a9d64eb1997a9e3c07f86cf817
SHA512

ad36790e776a1ccf9a818d7aa0954051f0e66125e9707135e001aa08595c3ac0d80dc5db7f1cda3ed16c1bf698fb76e575336bffedbfc9c4679560865d66611c
SSDEEP

98304:h4AAw7+4X0Iouq6OwF/fki9WzxjvFzCPmqQ:fV0Ioj6O2k8Wtjtb

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral2/memory/2132-134-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon
behavioral2/memory/2132-135-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon
behavioral2/memory/2132-136-0x0000000010000000-0x000000001043D000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral2/files/0x0004000000022e0e-137.dat	aspack_v212_v242

Loads dropped DLL 1 IoCs

pid	Process
2132	rundll32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\987561.bmd	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2892	2132	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2132	4888	rundll32.exe	82
PID 4888 wrote to memory of 2132	4888	rundll32.exe	82
PID 4888 wrote to memory of 2132	4888	rundll32.exe	82

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87d4ade9fd758e2116731cc737e16c65f078f1a9d64eb1997a9e3c07f86cf817.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\87d4ade9fd758e2116731cc737e16c65f078f1a9d64eb1997a9e3c07f86cf817.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 676
    3⤵
    - Program crash
    PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2132 -ip 2132
1⤵
PID:2396

C:\Windows\SysWOW64\987561.bmd

Filesize
1.9MB

MD5
aae2c15f00256d1a50cd72665e267f36

SHA1
de15c39b155a45782313d5523f93e4dcdefe59ac

SHA256
691feff90464a118c8390a8d366d6ab407a0642e6d0c937a293f639e23eabe2f

SHA512
9fb4751b44e279a3e73131ce5debeb1cac9805a31063cdc265c3cd945db1e7f14dc62a38595bc2311d110467fcb898023a158cf6063cde7939e1fd97ff0a8122

Download Submit
memory/2132-134-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/2132-133-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/2132-135-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/2132-136-0x0000000010000000-0x000000001043D000-memory.dmp

Filesize
4.2MB

Download
memory/2132-138-0x0000000075270000-0x00000000756F8000-memory.dmp

Filesize
4.5MB

Download
memory/2132-139-0x0000000002380000-0x000000000243F000-memory.dmp

Filesize
764KB

Download
memory/2132-141-0x0000000075270000-0x00000000756F8000-memory.dmp

Filesize
4.5MB

Download